RE: Bouncer, Guide

I think at one time back before 2012 DNT:1 was suggested as a valid response meaning "I have seen your DNT:1 and am respecting it", but I don't know why w3.org implemented it like that. Tk: 1 has not been a valid response in the TPE since before I joined the group in 2012. I have pointed it out before on this list.

I think there are a number of issues arising now with the API not being implemented in browsers, one of which is that there has to be a protocol for whitelisting, i.e. letting sites get consent for tracking. If there is no whitelisting, DNT becomes an unchangeable condition, and sites will resist having to respect it. That’s why we have to be able to use other responses in the Tk header, e.g. "C" for out-of-band consent (where a cookie overrides DNT). This kills caching, performance and costs money, but the answer to that is for the browsers to implement the API ASAP.

If we had widespread support for the API it hardly matters what the Tk response is IMO, but while we don't, it does.


-----Original Message-----
From: Joseph Lorenzo Hall [mailto:joe@cdt.org] 
Sent: 19 August 2016 19:39
To: Mike O'Neill <michael.oneill@baycloud.com>
Cc: public-tracking@w3.org; Jeff Jaffe <jeff@w3.org>
Subject: Re: Bouncer, Guide

The point being Tk: 1 cannot serve as an analog to Tk: T as that's not
actually what is happening on the sites that are doing this now?

On Thu, Aug 18, 2016 at 11:56 AM, Mike O'Neill
<michael.oneill@baycloud.com> wrote:
> Bouncer lets you quickly see how sites respond to DNT. It shows there are quite a few sites responding with Tk: 1, which is not one of the valid values in the TPE https://www.w3.org/TR/tracking-dnt/#tracking-status-value
> Sites that do this include the GCHQ!  www.gchq.gov.uk, but also w3.org. I imagine the reason so many sites get this wrong is because of the W3C example.
>
> I think the reason the w3.org site team did this may have been confusion on what TSV to use. If no tracking occurs then the obvious response would be Tk: N, but the W3C also uses an authentication cookie UID. Because images are often loaded on other sites e.g. https://w3.org/2008/site/images/logo-w3c-mobile-lg
> w3.org ends up being an embedded third-party, so should return Tk: T when the authentication is present, but this breaks expiration caching as Roy has pointed out.
>
> If this was the reason it is unfortunate that it wasn’t brought up here.
>
> The situation could be addressed in 3 ways.
>
> 1) W3C site is changed to return Tk: T for DNT logged in users, otherwise Tk: N, and support verification caching. This would create a bigger load on W3C servers though for UAs other than IE (assuming w3.org also uses the API).
> 2) We add a new permitted use to the TPE with a new qualifier code L for first-party login. It can only be used for that purpose, and is discarded if seen as an embedded third-party.
> 3) We do 2) but also accept the situation as de-facto, and make a TSV of "1" an alias for "C" with an assumed qualifier of "L" (and an implied commitment to discard the UID as above)
>
>
> Mike
>
>
>
> -----Original Message-----
> From: Mike O'Neill [mailto:michael.oneill@baycloud.com]
> Sent: 10 August 2016 19:12
> To: public-tracking@w3.org
> Subject: Bouncer, Guide
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Following today’s call, here again is the Chrome browser extension Bouncer
> https://chrome.google.com/webstore/detail/baycloud-bouncer/bplgfejjkplajgmkcbbgaeceamceohkc?hl=en-GB&gl=GB
>
> It shows how sites and third-parties respond to DNT, if they have a TSR, EFF Policy, TSV response header etc. Click on the TSR one to see the actual TSR
>
> It implements the full API, use this test page to exercise it:
> https://baycloud.com/api/test
>
> and here again is the DNTGuide document:
>
> https://trackingprotection.github.io/Implementation/DNTGuide/
>
> Mike
>
>
>



-- 
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

Received on Friday, 19 August 2016 20:10:20 UTC
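
An added example, not part of the original messages and not Bouncer's code: a check a site operator could run over captured Tk response headers to find the invalid `Tk: 1` value discussed in this thread. The tracking-status-value set and the status-id characters are written from the TPE section linked above and are an assumption to verify against the spec; the host names and header values are constructed.

```javascript
// Added example: flag Tk response header values that are not valid under the TPE.
// Assumption: TSV set and status-id characters as in the TPE section linked above.
const TSV_MEANING = new Map([
  ["!", "under construction"],
  ["?", "dynamic"],
  ["G", "gateway"],
  ["N", "not tracking"],
  ["T", "tracking"],
  ["C", "tracking with consent"],
  ["P", "tracking only if consented"],
  ["D", "disregarding DNT"],
  ["U", "updated"],
]);
const STATUS_ID = /^[A-Za-z0-9_\-+=\/]+$/;

// Returns { valid, tsv, meaning | reason, statusId? } for one Tk field value.
function checkTk(value) {
  if (typeof value !== "string" || value.trim() === "") {
    return { valid: false, reason: "no Tk header sent" };
  }
  const [tsv, ...rest] = value.trim().split(";");
  if (tsv === "1") {
    return { valid: false, tsv, reason: "'1' is a DNT request value, not a TSV" };
  }
  if (!TSV_MEANING.has(tsv)) {
    return { valid: false, tsv, reason: "unknown tracking status value" };
  }
  if (rest.length > 1 || (rest.length === 1 && !STATUS_ID.test(rest[0]))) {
    return { valid: false, tsv, reason: "malformed status-id" };
  }
  const result = { valid: true, tsv, meaning: TSV_MEANING.get(tsv) };
  if (rest.length === 1) result.statusId = rest[0];
  return result;
}

// Constructed sample: hosts and header values are made up for illustration.
const SAMPLE = [
  { host: "a.example", tk: "1" },
  { host: "b.example", tk: "N" },
  { host: "c.example", tk: "T;fRx42" },
  { host: "d.example", tk: "t" },
  { host: "e.example", tk: undefined },
  { host: "f.example", tk: "C;" },
];

// Hosts whose Tk header would not pass, with the reason for each.
function audit(responses) {
  return responses.map((r) => ({ host: r.host, ...checkTk(r.tk) })).filter((r) => !r.valid);
}
```

`audit(SAMPLE)` returns the entries for `a.example`, `d.example`, `e.example` and `f.example`; the comparison is case-sensitive, so a lowercase `t` is reported as unknown.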